<!DOCTYPE html>
<html id="docs" lang="en" class="">
	<head>
	<meta charset="utf-8">
<title>Using ABAC Authorization - Kubernetes</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" type="image/png" href="../../../../images/favicon.png">
<link rel="stylesheet" type="text/css" href="../../../../css/base_fonts.css">
<link rel="stylesheet" type="text/css" href="../../../../css/styles.css">
<link rel="stylesheet" type="text/css" href="https://code.jquery.com/ui/1.12.1/themes/smoothness/jquery-ui.css">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/sweetalert/1.1.3/sweetalert.min.css">
<link rel="stylesheet" type="text/css" href="../../../../css/callouts.css">
<link rel="stylesheet" type="text/css" href="../../../../css/custom-jekyll/tags.css">




<meta name="description" content="Using ABAC Authorization" />
<meta property="og:description" content="Using ABAC Authorization" />

<meta property="og:url" content="https://kubernetes.io/docs/reference/access-authn-authz/abac/" />
<meta property="og:title" content="Using ABAC Authorization - Kubernetes" />

<script
src="https://code.jquery.com/jquery-3.2.1.min.js"
integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4="
crossorigin="anonymous"></script>
<script
src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js"
integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU="
crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/sweetalert/1.1.3/sweetalert.min.js"></script>
<script src="../../../../js/script.js"></script>
<script src="../../../../js/custom-jekyll/tags.js"></script>


	</head>
	<body>

		
		
		
		
<section id="deprecationWarning">
  <main>
    <div class="content deprecation-warning">
      <h3>
        Documentation for Kubernetes v1.11 is no longer actively maintained. The version you are currently viewing is a static snapshot.
        For up-to-date documentation, see the <a href="https://kubernetes.io/docs/home/">latest</a> version.
      </h3>
    </div>
  </main>
</section>


		<section id="encyclopedia">
			

			<div id="docsContent">
				

<h1>Using ABAC Authorization</h1>



<p>Attribute-based access control (ABAC) is an access-control model in which access rights are granted to users through policies that combine attributes of the user, the request, and the resource. In Kubernetes, the ABAC authorizer evaluates every API request against a static policy file that the API server loads at startup.</p>









<ul id="markdown-toc">
<li><a href="index.html#policy-file-format">Policy File Format</a></li>
<li><a href="index.html#authorization-algorithm">Authorization Algorithm</a></li>
<li><a href="index.html#kubectl">Kubectl</a></li>
<li><a href="index.html#examples">Examples</a></li>
<li><a href="index.html#a-quick-note-on-service-accounts">A quick note on service accounts</a></li>
</ul>


<h2 id="policy-file-format">Policy File Format</h2>

<p>To use ABAC, start the API server with <code>--authorization-mode=ABAC</code> and also specify <code>--authorization-policy-file=SOME_FILENAME</code>.</p>

<p>The file format is <a href="http://jsonlines.org/" target="_blank">one JSON object per line</a>.  There
should be no enclosing list or map, just one map per line.</p>

<p>Each line is a &ldquo;policy object&rdquo;.  A policy object is a map with the following
properties:</p>

<ul>
<li>Versioning properties:

<ul>
<li><code>apiVersion</code>, type string; valid values are &ldquo;abac.authorization.kubernetes.io/v1beta1&rdquo;. Allows versioning and conversion of the policy format.</li>
<li><code>kind</code>, type string; valid values are &ldquo;Policy&rdquo;. Allows versioning and conversion of the policy format.</li>
</ul></li>
<li><code>spec</code> property set to a map with the following properties:

<ul>
<li>Subject-matching properties:

<ul>
<li><code>user</code>, type string; the username established by the authenticator (for example the user-string from <code>--token-auth-file</code>, or the common name of a client certificate). If you specify <code>user</code>, it must match the username of the authenticated user exactly.</li>
<li><code>group</code>, type string; if you specify <code>group</code>, it must match one of the groups of the authenticated user. <code>system:authenticated</code> matches all authenticated requests. <code>system:unauthenticated</code> matches all unauthenticated requests.</li>
</ul></li>
<li>Resource-matching properties:

<ul>
<li><code>apiGroup</code>, type string; an API group. Leave it unset to match the core API group, whose name is the empty string.

<ul>
<li>Ex: <code>extensions</code></li>
<li>Wildcard: <code>*</code> matches all API groups.</li>
</ul></li>
<li><code>namespace</code>, type string; a namespace.

<ul>
<li>Ex: <code>kube-system</code></li>
<li>Wildcard: <code>*</code> matches all namespaces, including cluster-scoped requests (whose namespace is empty).</li>
</ul></li>
<li><code>resource</code>, type string; a resource type.

<ul>
<li>Ex: <code>pods</code></li>
<li>Wildcard: <code>*</code> matches all resource types.</li>
</ul></li>
</ul></li>
<li>Non-resource-matching properties:

<ul>
<li><code>nonResourcePath</code>, type string; non-resource request paths.</li>
<li>Ex: <code>/version</code> or <code>/apis</code></li>
<li>Wildcard:

<ul>
<li><code>*</code> matches all non-resource requests.</li>
<li><code>/foo/*</code> matches all subpaths of <code>/foo/</code>.</li>
</ul></li>
</ul></li>
<li><code>readonly</code>, type boolean; when true, the policy matches only read-only requests: for resource requests the get, list, and watch verbs, for non-resource requests the get method alone. Leave it unset (false) to cover writes as well.</li>
</ul></li>
</ul>

<p><strong>NOTES:</strong> An unset property is the same as a property set to the zero value for its type
(e.g. empty string, 0, false). However, unset should be preferred for
readability. Because the zero value is matched literally, a policy that leaves <code>apiGroup</code> unset matches only resources in the core API group (whose name is the empty string); to cover <code>extensions</code> or any other group, set <code>apiGroup</code> explicitly or use <code>*</code>. Likewise, a policy that leaves <code>namespace</code> unset matches only cluster-scoped requests.</p>

<p>In the future, policies may be expressed in a JSON format, and managed via a
REST interface.</p>

<h2 id="authorization-algorithm">Authorization Algorithm</h2>

<p>A request has attributes which correspond to the properties of a policy object.</p>

<p>When a request is received, its attributes are determined. Unknown attributes
are set to the zero value of their type (e.g. empty string, 0, false).</p>

<p>A property set to <code>&quot;*&quot;</code> will match any value of the corresponding attribute.</p>

<p>The tuple of attributes is checked for a match against every policy in the
policy file. If at least one line matches the request attributes, then the
request is authorized (but may fail later validation). Policies are purely additive:
there is no way to express a deny, so adding a line can only grant more access. A
request that no line matches is not authorized by this authorizer; when several
authorization modes are configured, another authorizer may still allow it.</p>

<p>To permit any authenticated user to do something, write a policy with the
group property set to <code>&quot;system:authenticated&quot;</code>.</p>

<p>To permit any unauthenticated user to do something, write a policy with the
group property set to <code>&quot;system:unauthenticated&quot;</code>.</p>

<p>To permit a user to do anything, write a policy with the apiGroup, namespace,
resource, and nonResourcePath properties set to <code>&quot;*&quot;</code>.</p>

<h2 id="kubectl">Kubectl</h2>

<p>Kubectl uses the <code>/api</code> and <code>/apis</code> endpoints of the API server to negotiate
client/server versions. To validate objects sent to the API by create/update
operations, kubectl queries certain swagger resources. For API version <code>v1</code>
those would be <code>/swaggerapi/api/v1</code> &amp; <code>/swaggerapi/experimental/v1</code>.</p>

<p>When using ABAC authorization, those special resources have to be explicitly
exposed via the <code>nonResourcePath</code> property in a policy (see <a href="index.html#examples">examples</a> below):</p>

<ul>
<li><code>/api</code>, <code>/api/*</code>, <code>/apis</code>, and <code>/apis/*</code> for API version negotiation.</li>
<li><code>/version</code> for retrieving the server version via <code>kubectl version</code>.</li>
<li><code>/swaggerapi/*</code> for create/update operations.</li>
</ul>

<p>To inspect the HTTP calls involved in a specific kubectl operation you can turn
up the verbosity:</p>

<pre><code>kubectl --v=8 version
</code></pre>

<h2 id="examples">Examples</h2>

<ol>
<li><p>Alice can do anything to all resources:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{<span style="color:#008000;font-weight:bold">&#34;apiVersion&#34;</span>: <span style="color:#b44">&#34;abac.authorization.kubernetes.io/v1beta1&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;kind&#34;</span>: <span style="color:#b44">&#34;Policy&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;spec&#34;</span>: {<span style="color:#008000;font-weight:bold">&#34;user&#34;</span>: <span style="color:#b44">&#34;alice&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;namespace&#34;</span>: <span style="color:#b44">&#34;*&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;resource&#34;</span>: <span style="color:#b44">&#34;*&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;apiGroup&#34;</span>: <span style="color:#b44">&#34;*&#34;</span>}}</code></pre></div></li>

<li><p>Kubelet can read any pods:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{<span style="color:#008000;font-weight:bold">&#34;apiVersion&#34;</span>: <span style="color:#b44">&#34;abac.authorization.kubernetes.io/v1beta1&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;kind&#34;</span>: <span style="color:#b44">&#34;Policy&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;spec&#34;</span>: {<span style="color:#008000;font-weight:bold">&#34;user&#34;</span>: <span style="color:#b44">&#34;kubelet&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;namespace&#34;</span>: <span style="color:#b44">&#34;*&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;resource&#34;</span>: <span style="color:#b44">&#34;pods&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;readonly&#34;</span>: <span style="color:#a2f;font-weight:bold">true</span>}}</code></pre></div></li>

<li><p>Kubelet can read and write events:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{<span style="color:#008000;font-weight:bold">&#34;apiVersion&#34;</span>: <span style="color:#b44">&#34;abac.authorization.kubernetes.io/v1beta1&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;kind&#34;</span>: <span style="color:#b44">&#34;Policy&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;spec&#34;</span>: {<span style="color:#008000;font-weight:bold">&#34;user&#34;</span>: <span style="color:#b44">&#34;kubelet&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;namespace&#34;</span>: <span style="color:#b44">&#34;*&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;resource&#34;</span>: <span style="color:#b44">&#34;events&#34;</span>}}</code></pre></div></li>

<li><p>Bob can only read pods in namespace &ldquo;projectCaribou&rdquo;:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{<span style="color:#008000;font-weight:bold">&#34;apiVersion&#34;</span>: <span style="color:#b44">&#34;abac.authorization.kubernetes.io/v1beta1&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;kind&#34;</span>: <span style="color:#b44">&#34;Policy&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;spec&#34;</span>: {<span style="color:#008000;font-weight:bold">&#34;user&#34;</span>: <span style="color:#b44">&#34;bob&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;namespace&#34;</span>: <span style="color:#b44">&#34;projectCaribou&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;resource&#34;</span>: <span style="color:#b44">&#34;pods&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;readonly&#34;</span>: <span style="color:#a2f;font-weight:bold">true</span>}}</code></pre></div></li>

<li><p>Anyone, authenticated or not, can make read-only requests to all non-resource paths. Note that <code>&quot;*&quot;</code> covers every non-resource endpoint the API server exposes (<code>/metrics</code> included), not only the discovery paths kubectl needs; to grant less, list the paths from the <a href="index.html#kubectl">Kubectl</a> section individually:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{<span style="color:#008000;font-weight:bold">&#34;apiVersion&#34;</span>: <span style="color:#b44">&#34;abac.authorization.kubernetes.io/v1beta1&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;kind&#34;</span>: <span style="color:#b44">&#34;Policy&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;spec&#34;</span>: {<span style="color:#008000;font-weight:bold">&#34;group&#34;</span>: <span style="color:#b44">&#34;system:authenticated&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;readonly&#34;</span>: <span style="color:#a2f;font-weight:bold">true</span>, <span style="color:#008000;font-weight:bold">&#34;nonResourcePath&#34;</span>: <span style="color:#b44">&#34;*&#34;</span>}}
{<span style="color:#008000;font-weight:bold">&#34;apiVersion&#34;</span>: <span style="color:#b44">&#34;abac.authorization.kubernetes.io/v1beta1&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;kind&#34;</span>: <span style="color:#b44">&#34;Policy&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;spec&#34;</span>: {<span style="color:#008000;font-weight:bold">&#34;group&#34;</span>: <span style="color:#b44">&#34;system:unauthenticated&#34;</span>, <span style="color:#008000;font-weight:bold">&#34;readonly&#34;</span>: <span style="color:#a2f;font-weight:bold">true</span>, <span style="color:#008000;font-weight:bold">&#34;nonResourcePath&#34;</span>: <span style="color:#b44">&#34;*&#34;</span>}}</code></pre></div></li>
</ol>

<p><a href="http://releases.k8s.io/v1.11.3/pkg/auth/authorizer/abac/example_policy_file.jsonl" target="_blank">Complete file example</a></p>
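<p>The policy format, the matching algorithm, and the example lines above combine in ways that are easy to get wrong by eye: an omitted <code>apiGroup</code> matches only the core group, a <code>readonly</code> line never covers a write, and a line that names neither <code>user</code> nor <code>group</code> grants nothing. The following Go program is an added example written for this page, not code from the Kubernetes project or its ABAC authorizer: it parses a JSON-lines policy file and evaluates request tuples following the rules described above (literal match unless <code>*</code>, <code>/foo/*</code> prefix matching, read-only meaning get/list/watch for resources and get for non-resource paths, no deny rule). The <code>Policy</code>, <code>Request</code>, <code>LoadPolicies</code> and <code>Authorize</code> names are this example's own; the embedded policy file takes the alice, bob, and <code>system:unauthenticated</code> lines from the examples above and adds one constructed line for a user <code>carol</code> that omits <code>apiGroup</code>. Use it to reason about a policy file offline before restarting an API server with it.</p>

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Policy is one line of a v1beta1 policy file; encoding/json maps the JSON keys onto these fields case-insensitively.
type Policy struct {
	APIVersion, Kind string
	Spec             struct {
		User, Group, APIGroup, Namespace, Resource, NonResourcePath string
		Readonly                                                    bool
	}
}

// Request is the attribute tuple built for one API call; attributes that do not apply stay at their zero
// value: APIGroup "" is the core group, Namespace "" is cluster-scoped, Path "" means a resource request.
type Request struct {
	User, Verb, APIGroup, Namespace, Resource, Path string
	Groups                                          []string // set by the authenticator, e.g. system:authenticated
}

// LoadPolicies parses the JSON-lines format: one policy object per line, blank lines skipped.
func LoadPolicies(jsonl string) ([]Policy, error) {
	var out []Policy
	for n, line := range strings.Split(jsonl, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var p Policy
		if err := json.Unmarshal([]byte(line), &p); err != nil {
			return nil, fmt.Errorf("line %d: %v", n+1, err)
		}
		out = append(out, p)
	}
	return out, nil
}

// subjectMatches: set user/group properties must match ("*" matches anyone); a line naming neither matches nobody.
func subjectMatches(p Policy, r Request) bool {
	s := p.Spec
	if s.User == "" && s.Group == "" || s.User != "" && s.User != "*" && s.User != r.User {
		return false
	}
	inGroup := s.Group == "" || s.Group == "*"
	for _, g := range r.Groups {
		inGroup = inGroup || g == s.Group
	}
	return inGroup
}

// matches evaluates one policy line: subject, then readonly (get/list/watch for resources, get alone
// for non-resource paths), then either the resource tuple or the non-resource path.
func matches(p Policy, r Request) bool {
	s := p.Spec
	readOnly := r.Verb == "get" || r.Path == "" && (r.Verb == "list" || r.Verb == "watch")
	if !subjectMatches(p, r) || s.Readonly && !readOnly {
		return false
	}
	if r.Path != "" { // non-resource request: exact path, "*", or "/foo/*" for every subpath of /foo/
		return s.NonResourcePath == "*" || s.NonResourcePath == r.Path ||
			strings.HasSuffix(s.NonResourcePath, "*") && strings.HasPrefix(r.Path, strings.TrimSuffix(s.NonResourcePath, "*"))
	}
	// Resource request, compared literally unless "*". Unset is "", so a line without apiGroup covers only
	// the core group, one without namespace only cluster-scoped requests, and one with neither never matches.
	return (s.Resource != "" || s.Namespace != "" || s.APIGroup != "") &&
		(s.Namespace == "*" || s.Namespace == r.Namespace) &&
		(s.Resource == "*" || s.Resource == r.Resource) && (s.APIGroup == "*" || s.APIGroup == r.APIGroup)
}

// Authorize is the whole algorithm: allowed if at least one line matches. There is no deny rule.
func Authorize(policies []Policy, r Request) bool {
	for _, p := range policies {
		if matches(p, r) {
			return true
		}
	}
	return false
}

// ExamplePolicies: alice, bob and system:unauthenticated lines from this page, plus a constructed "carol" line that omits apiGroup.
const ExamplePolicies = `
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "alice", "namespace": "*", "resource": "*", "apiGroup": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "bob", "namespace": "projectCaribou", "resource": "pods", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "system:unauthenticated", "readonly": true, "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "carol", "namespace": "*", "resource": "deployments"}}
`

func main() {
	policies, err := LoadPolicies(ExamplePolicies)
	if err != nil {
		panic(err)
	}
	r := Request{User: "system:anonymous", Groups: []string{"system:unauthenticated"}, Verb: "get", Path: "/version"}
	fmt.Println(Authorize(policies, r)) // true: read-only request to a non-resource path
	r.Verb = "post"
	fmt.Println(Authorize(policies, r)) // false: the readonly line does not cover a POST
}
```

<p>Because the embedded file deliberately leaves out the <code>system:authenticated</code> non-resource line from example 5, a request such as <code>bob</code> fetching <code>/version</code> evaluates to false, which is exactly the case the <a href="index.html#kubectl">Kubectl</a> section warns about: kubectl's own discovery and version requests must be granted explicitly or every command fails before it reaches a resource. Likewise <code>carol</code> reading <code>deployments</code> in the <code>apps</code> group evaluates to false until her line gains an <code>apiGroup</code>.</p>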

<h2 id="a-quick-note-on-service-accounts">A quick note on service accounts</h2>

<p>Every service account is authenticated as a user whose name follows the convention:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">system:serviceaccount:&lt;namespace&gt;:&lt;serviceaccountname&gt;</code></pre></div>
<p>Service accounts are also members of the groups <code>system:serviceaccounts</code> and
<code>system:serviceaccounts:&lt;namespace&gt;</code>, which a policy can match with the <code>group</code> property.</p>
<p>Creating a new namespace also causes a new service account to be created, of
this form:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">system:serviceaccount:&lt;namespace&gt;:default</code></pre></div>
<p>For example, to grant the default service account in the <code>kube-system</code>
namespace full access to the API, you would add this line to your policy
file:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{<span style="color:#008000;font-weight:bold">&#34;apiVersion&#34;</span>:<span style="color:#b44">&#34;abac.authorization.kubernetes.io/v1beta1&#34;</span>,<span style="color:#008000;font-weight:bold">&#34;kind&#34;</span>:<span style="color:#b44">&#34;Policy&#34;</span>,<span style="color:#008000;font-weight:bold">&#34;spec&#34;</span>:{<span style="color:#008000;font-weight:bold">&#34;user&#34;</span>:<span style="color:#b44">&#34;system:serviceaccount:kube-system:default&#34;</span>,<span style="color:#008000;font-weight:bold">&#34;namespace&#34;</span>:<span style="color:#b44">&#34;*&#34;</span>,<span style="color:#008000;font-weight:bold">&#34;resource&#34;</span>:<span style="color:#b44">&#34;*&#34;</span>,<span style="color:#008000;font-weight:bold">&#34;apiGroup&#34;</span>:<span style="color:#b44">&#34;*&#34;</span>}}</code></pre></div>
<p>Every pod in <code>kube-system</code> that runs as the <code>default</code> service account then holds these privileges. The API server reads the policy file only at startup, so it must be restarted to pick up new policy lines.</p>














			</div>
		</section>
		<footer>
    <main class="light-text">
        <div id="miceType" class="center">
            &copy; 2018 The Kubernetes Authors | Documentation Distributed under <a href="https://git.k8s.io/website/LICENSE" class="light-text">CC BY 4.0</a>
        </div>
        <div id="miceType" class="center">
            Copyright &copy; 2018 The Linux Foundation&reg;. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage" class="light-text">Trademark Usage page</a>
        </div>
    </main>
</footer>




	</body>
</html>